Security and Compliance at Operations1
Effective date: August 1, 2024
Protecting personal and customer confidential information is our top priority. Out of respect for our customers and in keeping with our business ethics and values, we don't compromise or cut corners when it comes to data security. As part of that commitment, we operate with the utmost transparency. The following overview provides a high-level look at the ever-evolving security practices we have in place.
We’re compliant with the highest security and privacy standards
GDPR - Operations1 is evaluated regularly against GDPR privacy regulations. By complying with GDPR we prove our commitment to protecting personal information and enforcing a consent-based model to personal data processing.
ISO 27001 - Operations1 is committed to the highest standards of information security, and to this end, has adopted the ISO 27001 Information Security Management System (ISMS) framework. This framework is instrumental in the identification, implementation, and maintenance of the assets, technologies, and processes that are critical for safeguarding customer information. The overarching goal is to ensure the confidentiality, integrity, availability, and privacy of customer data, as well as of the services that support this data. Operations1 has been officially ISO 27001 certified since 2023.
General Information Security Policy
Protect Operations1 information and IT assets (including but not limited to all computers, mobile devices, networking equipment, software and sensitive data) against all internal, external, deliberate or accidental threats, and mitigate the risks associated with the theft, loss, misuse, damage or abuse of these systems.
Ensure information will be protected against any unauthorized access. Users shall only have access to resources that they have been specifically authorized to access. The allocation of privileges shall be strictly controlled and reviewed regularly.
Protect CONFIDENTIALITY of information. We ensure that all customer data is handled with the highest level of confidentiality. Access to data is restricted to authorized personnel only, based on the principle of least privilege, as mandated by our ISO 27001 certification.
Ensure INTEGRITY of information. We are committed to maintaining the accuracy and reliability of customer data. Measures are in place to prevent unauthorized alterations, ensuring data remains unaltered and trustworthy, in line with ISO 27001 controls.
Maintain AVAILABILITY of information for business processes. Our systems and services are designed to ensure maximum uptime and availability. We implement robust backup and disaster recovery processes to minimize the risk of data loss and service disruptions, as required by ISO 27001.
Comply with and, wherever possible, exceed national legislative and regulatory requirements, standards and best practices.
Develop, maintain and test business continuity plans to ensure we stay on course despite any obstacles we may encounter.
Raise awareness of information security by making information security training available for all Employees. Security awareness and targeted training shall be conducted consistently, security responsibilities reflected in job descriptions, and compliance with security requirements shall be expected and accepted as a part of our culture.
Ensure that no action will be taken against any employee who discloses an information security concern through reporting or in direct contact with the Information Security Management Leader, unless such disclosure indicates, beyond any reasonable doubt, an illegal act, gross negligence, or a repeated deliberate or willful disregard for regulations or procedures.
Report all actual or suspected information security breaches to security[at]operations1.com.
Key security practices
1. Data Protection
Customer data is encrypted both in transit and at rest using industry-standard encryption protocols, as part of our ISO 27001 compliant information security management system (ISMS).
Data sent to or from our infrastructure is encrypted in transit using Transport Layer Security (TLS 1.2 or a more recent version). At rest, all data is protected with proven encryption algorithms, and the associated keys are stored using secret management services. Operations1 services ensure your data is always safe, secure, and private.
Data retention and removal is standardized and at the discretion of our users. All permissioned user data held by Operations1 is available to our customers for electronic retrieval for a period of 30 days after the expiration or termination of the contract. All data is then completely removed from Operations1 servers. Data owners, in consultation with legal counsel, may determine retention periods for their data.
Operations1-developed apps and backend infrastructure, the main entry points for user data, only accept client requests over strong TLS protocols. All communication between Operations1-maintained infrastructure and data platforms is transmitted over encrypted tunnels.
Regular security assessments, including penetration testing and vulnerability scanning, are conducted to identify and mitigate potential threats, following ISO 27001 guidelines.
2. Access Control
Access to our systems is managed through strict authentication and authorization mechanisms, including multi-factor authentication (MFA) and role-based access control (RBAC).
Employees are granted access only to the data and systems necessary for their role, in alignment with ISO 27001’s principle of least privilege.
3. Incident Response
We maintain a comprehensive Incident Response Plan (IRP) that includes procedures for detecting, reporting, and responding to security incidents, in accordance with ISO 27001 standards.
Our Incident Response Team (IRT) is trained to handle security events swiftly, minimizing impact and ensuring timely communication with affected parties, as required by our certification.
4. Security Monitoring
Continuous monitoring of our systems is conducted to detect and respond to security threats in a timely manner.
Logs are maintained and reviewed regularly to identify suspicious activities and potential security breaches, adhering to ISO 27001 logging and monitoring requirements.
5. Compliance
As an ISO 27001 certified organization, we comply with all relevant data protection laws and industry regulations, including GDPR.
Regular audits are performed to ensure compliance with legal and regulatory requirements.
6. Third-party Security
We assess the security posture of third-party vendors and partners before engaging in any business relationship.
Contracts with third-party providers include strict security and confidentiality clauses, ensuring they adhere to our ISO 27001-certified security practices.
We take all necessary infrastructure precautions. All of our services run in cloud environments. We don’t host or run our own routers, load balancers, DNS servers, or physical servers. Cloud providers we use regularly undergo independent verification of security, privacy, and compliance controls against the following standards: ISO/IEC 27001, ISO/IEC 27017, SOC 1, SOC 2, SOC 3, PCI DSS, HIPAA, CSA Star, FedRAMP, and many others.
7. Employee Responsibility
All employees receive regular training on security best practices, with a specific focus on maintaining our ISO 27001 certification.
Employees are required to report any suspicious activities or potential security incidents immediately to the Information Security Team.
Our security team is constantly improving the security of our organization and is trained and certified in security threat detection and incident response, security engineering, penetration testing, application security, security management and compliance, and the latest security best practices.
Secure code: transparent development with security in mind
Protecting customer data from modern threats requires that products developed through our services prioritize security at every stage. The following practices ensure a high level of security in our software:
Security-Centric Culture: We foster a corporate culture dedicated to security by embedding it into every aspect of our software development process.
Framework Compliance: Our code is assessed using industry-recognized security frameworks, including the OWASP Secure Coding Practices. This ensures that our development is aligned with best practices.
Continuous Developer Training: Developers undergo regular security training to stay informed about common vulnerabilities, emerging threats, and secure coding best practices.
Code Reviews: We systematically review our code to identify and rectify security vulnerabilities before they become risks.
Infrastructure and Software Updates: We regularly update our infrastructure and software to eliminate known vulnerabilities, ensuring our systems are protected against new threats.
Penetration Testing: External penetration tests are conducted regularly on our production environments to proactively identify and address potential security issues.
Application Security Monitoring: Our advanced security monitoring solutions provide us with the visibility to:
Identify attacks and respond quickly to breaches
Monitor exceptions, logs, and detect anomalies in our applications
Collect and store logs to maintain a comprehensive audit trail of application activities
These practices are designed to protect sensitive data and uphold the highest standards of software security.
We encourage responsible disclosure
If you discover vulnerabilities in our application or infrastructure, we ask that you alert our team by contacting security[at]operations1.com and include a proof of concept in your email. We will respond to your submission as quickly as possible and won’t take legal action if you follow the responsible disclosure process:
Please avoid automated testing and only perform security tests with your own data
Please include a proof of concept in your email
Do not disclose any information regarding the vulnerabilities until clear approval is given
This policy underscores our commitment as an ISO 27001 certified company. By adhering to these principles and practices, we ensure the security, integrity, and availability of our services, fostering trust with our customers and maintaining our certification.